Date: Tue, 18 Jun 2019 18:58:29 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Message-ID: <bug-238694-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

Bug ID: 238694
Summary: Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Product: Base System
Version: 12.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: conf
Assignee: bugs@FreeBSD.org
Reporter: rfg-freebsd@tristatelogic.com

The HandBook (Section 30.4.1) describes how to enable an IPFW firewall while using a locally customized set of IPFW filtering rules. This basically boils down to placing two lines, like the following, into the /etc/rc.conf file:

    firewall_enable="YES"
    firewall_type="path-to-my-rules-file"

I have been using this exact motif in /etc/rc.conf, and my own customized set of ipfw rules, for years, but I recently upgraded to FreeBSD 12.0-RELEASE. Once I had done so, I noticed (when I checked using "ipfw -a list") that now, several different IPFW rules were somehow being added to my explicitly specified IPFW rule set, prior to my own rules.

This appears to be due to the invocation of the new /etc/rc.firewall script which injects into ipfw several of its own IPFW rules ahead of whatever rules the user provides within the file designated by "path-to-my-rules-file". I verified this by finding one part of the /etc/rc.firewall script where this was occurring, commenting out some of the relevant lines therein, and then rebooting the system. Sure enough, the relevant IPFW rules that were formerly being inserted into IPFW by /etc/rc.firewall were no longer showing up when I did a fresh "ipfw -a list".

I believe that it would be appropriate (and would be maximally consistent with past behavior in prior FreeBSD releases) if, when the user specifies his or her own explicitly provided IPFW rule set, those rules are used verbatim, and are not augmented by the /etc/rc.firewall script.

-- 
You are receiving this mail because:
You are the assignee for the bug.
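The reporter found the extra rules by reading "ipfw -a list" output by eye. The shell script below, added here as an illustration and not part of the bug report or of FreeBSD's rc.firewall, automates that check: it reads the rules file named by firewall_type, reads "ipfw -a list" output, and reports every loaded rule whose body the file never asked for. Both inputs are constructed samples written to temporary files; on a real system the second input would be the actual output of "ipfw -a list". Rule 65535 is ipfw's built-in default rule and is always present, so the script skips it.

```shell
#!/bin/sh
# Added example (not from the bug report or from FreeBSD's rc.firewall):
# compare the rules a firewall_type file asks for against what
# "ipfw -a list" actually shows, and report every live rule the file
# did not request. All input data below is constructed.

RULES_FILE="${TMPDIR:-/tmp}/ipfw-expected.$$"
LIVE_OUTPUT="${TMPDIR:-/tmp}/ipfw-live.$$"
trap 'rm -f "$RULES_FILE" "$LIVE_OUTPUT"' EXIT

# Stand-in for the file named by firewall_type in /etc/rc.conf: ipfw(8)
# commands without the leading "ipfw", as rc.firewall hands them to ipfw.
cat > "$RULES_FILE" <<'EOF'
# constructed custom rule set
add 1000 allow tcp from any to me dst-port 22 in
add 2000 allow ip from me to any out
add deny log ip from any to any
EOF

# Stand-in for "ipfw -a list" output: rule number, packet count, byte
# count, then the rule body. Rule 65535 is ipfw's built-in default rule.
cat > "$LIVE_OUTPUT" <<'EOF'
00100        12        960 allow ip from any to any via lo0
00200         0          0 deny ip from any to 127.0.0.0/8
00300         0          0 deny ip from 127.0.0.0/8 to any
01000        45       3400 allow tcp from any to me dst-port 22 in
02000       310      41000 allow ip from me to any out
02100         7        420 deny log ip from any to any
65535         0          0 deny ip from any to any
EOF

# find_unexpected_rules RULES_FILE LIVE_OUTPUT
# Prints "NUMBER BODY" for each live rule whose body is absent from RULES_FILE.
find_unexpected_rules() {
    awk '
        # Join fields start..NF with single spaces, so that a rule body
        # compares equal regardless of the whitespace around it.
        function body(start,    i, s) {
            s = ""
            for (i = start; i <= NF; i++) s = s (i > start ? " " : "") $i
            return s
        }
        # First file: expected rules. Drop comments, keep only "add"
        # commands, skip an explicit rule number if one is given.
        FNR == NR {
            sub(/#.*/, "")
            if ($1 != "add") next
            start = ($2 ~ /^[0-9]+$/) ? 3 : 2
            expected[body(start)] = 1
            next
        }
        # Second file: live rules. Skip the default rule, strip the
        # number and the two counter columns, look the body up.
        $1 != "65535" {
            b = body(4)
            if (!(b in expected)) print $1, b
        }
    ' "$1" "$2"
}

# Report what rc.firewall (or anything else) loaded ahead of the custom set.
find_unexpected_rules "$RULES_FILE" "$LIVE_OUTPUT"
```

With the constructed inputs the report lists rules 00100, 00200 and 00300, the three the rules file never mentioned. One caveat for real use: ipfw prints rules in its own canonical spelling, so a body written differently in the rules file (for example a port given positionally rather than with dst-port) would be flagged even though it is the user's own rule; writing the file the way ipfw prints, or keying the comparison on explicit rule numbers when the file assigns them, avoids that false positive.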
